The fdroid client (presently) only checks for one signature on the index.jar. When you first configure the repo, if it finds a pubkey attribute on the repo element of the index.xml it caches that value; on every later update it compares the cached value against the certificate that signed the index.jar. It doesn't care how many signatures there are, as long as the one specified in the index.xml at repo-install time is among them. There isn't any support for more than one pubkey attribute in the XML, so a repo cannot declare a second acceptable signer.
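To make the check described above concrete, here is an added example (written for this page, not code from the F-Droid client) of the two steps it describes: pinning the pubkey attribute at repo-add time, and on each update accepting the index.jar if any one of its signers carries that certificate. It assumes the standard F-Droid layout, an index.jar containing index.xml whose repo element has a pubkey attribute holding the hex-encoded DER signing certificate, and relies only on java.util.jar's built-in JAR signature verification. The class name, the helper names and the command-line handling are this example's own.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Example (not F-Droid's own code): pin the signer of index.jar the way the
 * text describes. The pubkey attribute of <repo> is cached when the repo is
 * added; every later update is accepted if ONE OF the signers of index.xml
 * has exactly that certificate. Additional signers are simply ignored.
 */
public class IndexJarPin {

    /** Lower-case hex, the encoding used for the pubkey attribute in index.xml. */
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b & 0xff));
        return sb.toString();
    }

    /** Leaf certificate of every signer of index.xml; empty if unsigned. Throws on a bad signature. */
    static List<Certificate> signerCerts(File jar) throws Exception {
        List<Certificate> leaves = new ArrayList<>();
        // verify=true: JarFile checks MANIFEST.MF / *.SF / *.RSA for every entry it hands out.
        try (JarFile jf = new JarFile(jar, true)) {
            JarEntry entry = jf.getJarEntry("index.xml");
            if (entry == null) throw new IllegalArgumentException("no index.xml in " + jar);
            // Signers are only populated once the entry has been read to EOF;
            // a tampered entry raises SecurityException right here.
            try (InputStream in = jf.getInputStream(entry)) {
                byte[] buf = new byte[8192];
                while (in.read(buf) != -1) { /* drain */ }
            }
            CodeSigner[] signers = entry.getCodeSigners();
            if (signers != null) {
                for (CodeSigner s : signers) {
                    // CertPath for X.509 lists the end-entity (signing) cert first.
                    leaves.add(s.getSignerCertPath().getCertificates().get(0));
                }
            }
        }
        return leaves;
    }

    /** The per-update check: the pinned certificate must be among the signers. */
    static boolean indexSignedByPinned(File jar, String pinnedPubkeyHex) throws Exception {
        String pinned = pinnedPubkeyHex.toLowerCase();
        for (Certificate c : signerCerts(jar)) {
            if (hex(c.getEncoded()).equals(pinned)) return true;
        }
        return false; // unsigned, or signed only by somebody else
    }

    /** The repo-add step: read <repo pubkey="..."> out of index.xml, or null if absent. */
    static String pubkeyFromIndexXml(InputStream xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The index comes off the network: no DTDs, no external entities.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder().parse(xml);
        Element repo = (Element) d.getElementsByTagName("repo").item(0);
        if (repo == null || !repo.hasAttribute("pubkey")) return null;
        return repo.getAttribute("pubkey").toLowerCase();
    }

    /** Usage: java IndexJarPin index.jar            (first configure: pin from the index)
     *         java IndexJarPin index.jar <hex>      (update: check against the cached pin) */
    public static void main(String[] args) throws Exception {
        File jar = new File(args[0]);
        String pinned;
        if (args.length > 1) {
            pinned = args[1];
        } else {
            try (JarFile jf = new JarFile(jar, true)) {
                pinned = pubkeyFromIndexXml(jf.getInputStream(jf.getJarEntry("index.xml")));
            }
            if (pinned == null) throw new IllegalStateException("index.xml has no pubkey attribute");
            System.out.println("pinning pubkey " + pinned);
        }
        boolean ok = indexSignedByPinned(jar, pinned);
        System.out.println(ok ? "index.jar signed by pinned key" : "REJECT: pinned key not among signers");
        System.exit(ok ? 0 : 1);
    }
}
```

Two things worth noticing when you run this against a real index.jar. First, the first-configure path is trust-on-first-use: the pin comes from the very file it is then checked against, so anything that can feed you a substituted index.jar at repo-add time chooses the key. Second, because the update check is "pinned cert is among the signers", a jar signed by the pinned key plus any number of other keys passes; you can see the full signer list with jarsigner -verify -verbose -certs index.jar before deciding whether that is acceptable for your repo.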

When data is transmitted over a secure, authenticated channel such as OTRDATA, the sender implicitly confirms that the repository as a whole, and each file in it, is as stored on the source (Bob's) system. This doesn't mean that the APKs were not modified before they reached Bob: the channel authenticates Bob, not the origin of what Bob is holding.

Another idea is to have ChatSecure somehow sign the index.jar using the user's existing, already-trusted OTR private key. This would be useful because it would reuse existing trust relationships, but getting Bazaar talking to ChatSecure in the right way would be tricky.

There are a few ideas on how to do this:

make ChatSecure a Certificate Authority and have it sign Certificate Signing Requests

make ChatSecure sign arbitrary files from other apps

make ChatSecure generate a secret key, sign it, and pass it to the app